Preventing Identity Theft in Your Business
Does the consulting fee include the training of company personnel to administer, score, and interpret test results?
Does the consulting fee include a training manual?
Can the I/O specialist develop an interpersonal skills test for which the test results will be unrelated to cognitive ability, motivation, and integrity?
What is the time frame for test development and validation, the writing and production of the test and test manuals, and the training of employees?
Based on comparisons of the experts’ responses and also on supporting evidence for these questions, select one specialist for management to consider as an option to using an existing test.
With this fourth test, the BISP assessment battery is complete. Using the tests in this battery, job applicants will be matched to jobs compatible with their ability and skills: cognitive ability, motivation, and interpersonal skills. The use of these standards guarantees a close person-job fit for new applicants, which is the primary determining factor underlying quality job performance. Moreover, the integrity test provides the first line of defense in guaranteeing the security of customer and coworker personal information. The standards collectively ensure both high job performance as well as information security, beginning with the job analysis requirement. These standards are the foundation of the Business Information Security Program.
Reminder: Are you checking off the completed exercises (Appendix A)?
CHAPTER 15
THE PEOPLE FRONT: SOCIALIZATION, COMPANY CULTURE, AND THE REALISTIC JOB PREVIEW
Beginning with the first day on the job and continuing through a process called “organizational socialization,” employees learn the ethics of the company culture—its rules, procedures, policies, and formal and informal expectations: what is said to be expected and what is actually acceptable, based on other employees’ behaviors. The company culture is the tabula rasa—the blank slate upon which all that follows depends. For information security, an honest company culture is vital. Standard 9 prepares this backdrop for first impressions of your company’s culture of security.
STANDARD 9. COMPANY CULTURE AND THE REALISTIC JOB PREVIEW
Goals: Evaluate, investigate, document, and modify (if necessary) your company’s honest company culture.
Specific Objectives: The four exercises in this chapter are progressive building blocks. They are, in ascending order:
(1) Assess the current company culture.
(2) Further analyze to identify improvements.
(3) Use the results from (1) and (2) to develop a “realistic job preview” document.
(4) Develop short- and long-term strategic plans to implement policies for an honest company culture.
Of these four objectives, the realistic job preview is the standard that carries forth the company’s policies for identity confidentiality. The traditional realistic job preview is simply a discussion, preempting false impressions of what is and what is not acceptable. However, when adapted as a security standard, the realistic job preview incorporates into the discussion security and the consequences of security standards violations.
In addition, the realistic job preview is a tangible document that not only describes the job’s positive and negative characteristics, but also describes the company’s honest culture and specific expectations for maintaining that culture. This document, when first discussed with job applicants and referred to in the same detail later in a job orientation after hire, will leave no doubt as to company rules and coworker expectations for integrity for security.
Orientation
The socialization of a new employee to what is and what is not acceptable by the company’s standards starts much earlier than the first day on the job; it begins with the “job preview” on the applicant’s first contact with the company representative. An initial contact is the primacy point at which time an individual is most impressionable, and it is a critical stage in the selection process when a company first shows its face validity to an outsider. First impressions matter, and it is at this precise time that a company can either manage or leave to chance a job applicant’s perception of the company’s culture.
As the exercises in this chapter will reveal, it takes little time, effort, or cost to inform job candidates that the coworkers in this company expect, enforce, and maintain information security. With this forewarning, conveyed by company representatives through a professionally developed realistic job preview, identity theft perpetrators seeking to hire into a company as either temporary or permanent employees are put on notice that this company is on the alert for violations of its ethical standards.
After the realistic job preview, the company’s desired culture is reinforced through the types of tests used to determine the applicant-job fit. For example, when a company uses the Sociability and Socialization scales as part of the selection process, the values the company portrays are interpersonal compatibility among coworkers and honesty. These values, reflected in the realistic job preview and reinforced through the assessment battery developed in previous chapters, exemplify how these standards are interdependent and work in combination to secure the business borders from identity thefts.
Exercise 1. Assess the Company Culture
Estimated Time: Three Hours
What is your company’s culture? The answer to this question is the first step in creating a company environment that safeguards the confidential information of its employees and customers. To begin this process, use the team approach and the quality-to-security brainstorming method to identify the positive and any negative aspects of the company’s culture. The goal is to identify both ethical and unethical policies or procedures, formal or informal, which would color perceptions of the work culture, in terms of security.
Before beginning step 1, review together the structured, step-by-step instructions in Appendix C for brainstorming so as to closely follow the formal procedures. Use the proper seating arrangement and the flip chart with the following task statement.
Step 1. Task Statement 1—List the procedures and policies of this company that either directly or indirectly reflect the ethical values of honesty and integrity in the workplace. The points generated from this task statement will be included in the realistic job preview document. As a way to trigger ideas during the personal thinking time and the round robin, consider the informal work environment as it is now and the existing formal (written) rules and regulations. When finished, post this chart on a nearby wall for ease in reference when conducting exercise 2. Next, conduct brainstorming for the following task statement.
Step 2. Task Statement 2—List the procedures and policies of this company that either directly or indirectly promote unethical values of honesty and integrity in the workplace. Indirect practices could simply be policies that fail to promote ethical values. For example, an item on the unethical brainstorming list may be “no recognition,” meaning that no recognition is given employees who take precautions to secure confidential business information. When no formal policies recognize or reward positive work practices, the assumption is that these practices are unimportant, that is, not part of the company’s culture.
To help trigger ideas, think about how the informal work environment is now and consider any formal or informal rules or regulations that might discourage honesty in the workplace or conscientious attention to security details. When the exercise is completed, post the chart on the wall next to the ethical chart. Both will be used to conduct the following cause-and-effect analysis.
Exercise 2. Further Analyze to Identify Improvements
Estimated Time: Three Hours
Recall that the Business Information Security Program (BISP) is designed so that each succeeding chapter builds on the previous chapter’s results and that, within chapters, the exercises also build on one another. Recall also that cause-and-effect analysis is a way to organize ideas generated in brainstorming. Problems that can be visualized according to some structured guideline and framework (e.g., cause-and-effect analysis fishbone with its four M’s used in Chapter 8) help facilitate group discussions to identify resolutions. In exercise 2, therefore, conduct cause-and-effect analysis on the ideas generated in exercise 1. Before beginning, review the step-by-step instructions in Appendix D for conducting cause-and-effect analysis and also the fishbone frameworks displayed in Exhibits D.1 and D.2.
The goals are to eliminate the unethical and to elaborate on the ethical policies and procedures that influence the work environment. Unethical factors may simply be the lack of policies that promote ethics in the workplace. Use a flip chart with the quality-to-security management fishbone framework and the four factors thought to underlie all work-related problems: manpower, method, machine, or material.
Step 1. Examine the Unethical List. Write this problem statement on the flip chart, with a fishbone arrowhead pointing to it: “Factors That May Influence Unethical Company Cultures.” Through group discussion and decision, list each item on the unethical list under one of the four causes of business problems: manpower, method, machine, or material. For example, the “no recognition” item could be categorized either as “manpower” or “method,” where a method could be a policy or procedure.
Next, through group discussion, eliminate each unethical item by generating an opposing alternative policy, procedure, or practice. Referring again to the “no recognition” item on the list, the alternative would be to formally recognize honesty in the workplace through a routinely conducted organizational performance evaluation. (Chapter 17 distinguishes between a personal and an organizational evaluation.) The terms “honesty” and “security” would have been identified in the job analysis for positions that require security, and remember that the Equal Employment Opportunity Commission guidelines pertain to all personnel practices, including performance evaluations.
Replace the unethical opposing items with ethical alternatives under the appropriate category (one of the four M’s) on a new fishbone chart, which will be incremented in step 2 with items from the ethical list. Use the following problem statement for this new flip chart: “Incremental Ways to Reflect the Honest Company Culture.”
Step 2. Now add to the Ethical List (from step 1). On the flip chart titled “Incremental Ways to Reflect the Honest Company Culture,” transfer each item on the list developed in the ethical brainstorming session to one of the four-factor categories: manpower, method, machine, or material. The following realistic job preview will be created using these items.
Exercise 3. Create the Realistic Job Preview
Estimated Time: Four Hours
The team task is to use the lists of items generated in the previous exercises in this chapter to create the text for a realistic job preview document to present to future applicants, detailing among other things company expectations for enforcing and maintaining the security of personal identifying information.
Research on employee turnover shows that employees who are given a realistic preview of the job remain with the company longer. New employees are not surprised when first encountering negative job aspects because the company has not hidden these features but, instead, conscientiously exposed them through a realistic job preview. However, a job preview, if informal, is left to chance interpretations; a formal job preview, presented using descriptive brochures or other documents, clearly informs applicants of company expectations.
This formal job preview document, because it is adapted from the traditional method that focuses only on job performance (and not security), must include the positive and negative features of a job. Because the job specific information will differ depending on the job position, these positive versus negative features can be included as a separate document appended or inserted into the formal job preview document.
This exercise focuses on the incremental list of ethical practices and policies. The goal now is to organize this material into well-written text for a brochure or other document that will become an essential formal company policy for security standards in the workplace.
Exercise 4. Develop the Strategic Plan
Estimated Time: Two–Three Hours
Before making recommendations to management for adopting the improvements in company culture as defined by the realistic job preview (created in the previous exercise 3), develop short- and long-term strategic plans, including specific target dates, for implementing these suggestions. Budgeting may be required to implement some of the items on the ethical list of recommendations and also to format and print the realistic job preview brochure or other document, depending on its design.
The costs involved for developing each standard, over and above the time of the team, can vary, depending on a company’s prerogatives. Budgeting aside, the implementation of these results requires setting specific target dates. For example, if honesty in the workplace is to be incorporated into an organization performance evaluation, then specific dates must be established to conduct routine performance evaluations. Appendix H shows an example of one company’s strategic time plan.
Now use the information generated in this chapter’s exercises to develop and initiate the Security Orientation Program, described next in Chapter 16.
CHAPTER 16
THE PEOPLE FRONT: SOCIALIZING NEWCOMERS TO THE HONEST COMPANY CULTURE
In Chapter 15, the team designed a job preview document that emphasized honesty and integrity and the company’s requirement for information security. In this chapter, the team uses the job preview document together with incremental information for a Security Orientation Program that will reinforce what applicants learn in first contacts and to further introduce new employees to your company’s security standards.
STANDARD 10. THE SECURITY ORIENTATION PROGRAM
Goals: Create measurable actions to promote honesty and security in the workplace and create an agenda for a two-hour Security Orientation Program.
Specific Objectives: Elaborate on the information in the job preview document for use in an orientation program to socialize new employees to your company’s desired culture and its emphasis on the protection of business, customer, and employee identities. Include in this exercise as many current employees as possible: after developing the program, administer it to other employees for feedback and potential modifications.
Orientation
Socialization to an organization begins with the first contact between an interested individual and a company representative. This first contact may be made formally through the company’s recruiter or by another company stakeholder, such as an employee, contractor, or supplier. If made through the company recruiter, the first contact would introduce the potential job applicant to the company’s desired culture through the formal job preview. However, many first contacts are not made through recruiters; instead, individuals learn about jobs through current employees, friends, relatives, or others. Regardless of the type of initial contact, formal or informal, the potential applicant begins to form an impression of the company, and this socialization continues, also formally or informally, after he or she is hired into the company.
When socialization is informal, a new job incumbent learns from supervisors and other employees what is and what is not accepted. Informal information can be noninclusive, incorrect, and inconsistent with company policies. In such cases, security-related decisions are likely to be based on past work experiences and not on your company’s Standards. Companies that develop formal orientation programs do not leave socialization to chance.
Formal socialization is a defined and structured personnel function used to positively influence work behavior. The work behaviors of particular interest, in addition to job performance, are those that will help safeguard confidential information, which is why the Business Information Security Program (BISP) requires as a standard the Security Orientation Program.
Exercise 1. Design the Security Orientation Program
Estimated Time: Four Hours
Exercise 1 in this chapter, unlike previous chapters, first employs brainstorming to generate ideas for each of the four M’s—manpower, method, machines, and materials. Then it categorizes each of these ideas using the fishbone framework (used in previous chapters) for generating further discussion and to trigger additional ideas. Before beginning this exercise, review the step-by-step instructions on formal brainstorming (Appendix C) and cause-and-effect analysis (Appendix D).
Step 1. Develop Measurable Actions. As a team, conduct brainstorming on each of the four M’s (manpower, method, machines, and material) in four separate hour-long brainstorming sessions. For each M, generate a list of measurable actions in which honesty can become an integral part of the company’s culture. In step 2, these actions will form the basis of the written agenda for the Security Orientation Program (and in Chapter 17, they will become part of the organizational performance review). Use the following task statement for the brainstorming flip chart, inserting the appropriate M for each session: “Measurable (e.g., manpower) actions that promote honesty in the workplace.”
From workshop experiences, ideas for measurable actions for manpower and method are the easiest to generate, although the most action-oriented and often creative ideas come from brainstorming on the other two M’s—machines and materials.
For example, machine actions that would help to promote both honesty and security might be rules that: prohibit employees from using other employees’ computers, require computer screens be secured from observation by passersby, and ordain similar security precautions for copy, fax, and other equipment. For materials, a measurable action to promote honesty and security might require special handling or routing of security-related documents, such as applications for credit or loans or documents containing employee health or other benefit information.